Google has announced that they plan to reward researchers who aim to "improve the security of key third-party software critical to the health of the entire Internet" with "down-to-earth, proactive improvements that go beyond merely fixing a known security bug."

The open source projects for whose patches researchers can get rewarded are currently core infrastructure network services such as OpenSSH, BIND, ISC DHCP; image parsers such as libjpeg, libjpeg-turbo, libpng, giflib; open source foundations of Google Chrome (Chromium, Blink); high-impact libraries such as OpenSSL and zlib, and security-critical components of the Linux kernel (including the Kernel-based Virtual Machine).

In the coming weeks and months, the program will include popular webservers, SMTP services, OpenVPN, GCC, binutils, llvm, and more.

"We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire," explained Google security team member Michal Zalewski. "In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it."

The company explained that this time there will be no rewards for fixing individual bugs, because "quite a few vulnerabilities trace back to preventable coding mistakes, or are made easier to exploit due to the absence of simple mitigation techniques," and they are hoping to improve security from the bottom up.

All in all, on this particular program, Google will have little to do with the actual submissions, as the researchers are asked to submit the patches directly to the maintainers of each of the aforementioned projects.

Once a submission is accepted and included in the final code of the software, the researchers can submit the entry to Google, and the reward panel will decide how big a reward it deserves - usually from $500 to $3,133.7, but occasionally even higher if the submission is "unusually clever or complex".

Examples of qualifying submissions include improvements to privilege separation, memory allocator hardening, cleanups of integer arithmetic, systematic fixes for various types of race conditions, and elimination of error-prone design patterns or library calls.
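To make the "cleanup of integer arithmetic" category concrete, here is an added example (written for this article; it is not code from Google or from any of the projects named above). It assumes a hypothetical image-parser helper that computes a frame buffer size from header fields: the unchecked form can wrap around and hand back a buffer far smaller than the image it is supposed to hold, while the hardened form uses overflow-checked multiplication and refuses the allocation instead. The function names are invented for illustration; `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* "Before": hypothetical size computation of the kind found in image
 * parsers. width * height * bytes-per-pixel is computed in size_t with
 * no overflow check, so a header claiming a huge image can wrap the
 * product to a small number; later pixel writes then overrun the buffer. */
size_t frame_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return (size_t)width * height * bpp; /* may silently wrap */
}

/* "After": the systematic fix the program rewards. Every multiplication
 * is overflow-checked; on overflow the function returns 0 and leaves
 * *out untouched, on success it stores the product and returns 1. */
int frame_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                        size_t *out)
{
    size_t tmp;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &tmp))
        return 0;
    if (__builtin_mul_overflow(tmp, (size_t)bpp, &tmp))
        return 0;
    *out = tmp;
    return 1;
}

/* Allocation wrapper built on the checked computation: a header whose
 * size is not representable yields NULL rather than an undersized buffer.
 * Zero-sized frames are also rejected so callers never get a pointer
 * they cannot safely index. */
void *alloc_frame(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (!frame_bytes_checked(width, height, bpp, &n) || n == 0)
        return NULL;
    return calloc(1, n);
}

int main(void)
{
    size_t n;
    /* Constructed inputs: a sane 640x480 RGB frame and an absurd header. */
    if (frame_bytes_checked(640, 480, 3, &n))
        printf("640x480x3 needs %zu bytes\n", n);
    if (!frame_bytes_checked(UINT32_MAX, UINT32_MAX, 4, &n))
        printf("oversized header rejected\n");
    printf("unchecked product for 2^30 x 2^30 x 16: %zu\n",
           frame_bytes_unchecked(1u << 30, 1u << 30, 16));
    void *p = alloc_frame(640, 480, 3);
    free(p);
    return 0;
}
```

On a 64-bit build the unchecked call with 2^30 x 2^30 x 16 wraps to exactly 0, which is the failure mode the hardened version is designed to make impossible; the checked version reports the overflow and the allocator returns NULL.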
